ACK One registered clusters enable you to integrate on-premises Kubernetes clusters or Kubernetes clusters from other cloud providers into Alibaba Cloud Distributed Cloud Container Platform (ACK One), rapidly establishing a hybrid cloud environment. ACK One allows unified management of these Kubernetes clusters. This topic describes key considerations before using registered clusters.
Data security
ACK One registered clusters support a restricted mode. In this mode, the ack-cluster-agent component deployed in the self-managed Kubernetes cluster:
Only accesses its own ConfigMap configuration
Does not read any cluster data
Performs no intrusive write operations
Has zero impact on existing workloads
If you connect an on-premises Kubernetes cluster through the public endpoint of an ACK One registered cluster, configure access control (an allowlist of source IP addresses) on the Server Load Balancer (SLB) instance that fronts the API server on port 6443. Without it, the API server accepts connections from any Internet address.
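A way to confirm that the SLB access control really blocks sources that are not on the allowlist, as an added example that is not part of this topic or of ACK One. The endpoint address is a placeholder, and the probe must be run from a host whose address is not on the allowlist; it deliberately requests a namespaced resource rather than /version, because /version is readable anonymously under Kubernetes' default RBAC and so proves little:

```bash
#!/usr/bin/env bash
# Added example, not from the ACK One documentation: probe a registered
# cluster's public API server endpoint from outside the allowlist and
# classify what an unauthenticated client can do.
set -euo pipefail

# Interpret the HTTP status that an anonymous GET /api/v1/namespaces receives.
classify_apiserver_exposure() {
  case "$1" in
    000) echo "filtered" ;;               # no TCP/TLS answer: the SLB ACL (or a firewall) blocks this source
    401) echo "exposed-anon-disabled" ;;  # reachable; anonymous auth is off, but the port is still public
    403) echo "exposed-anon-denied" ;;    # reachable; anonymous auth is on and RBAC denies system:anonymous
    200) echo "ANONYMOUS-READ" ;;         # reachable and anonymous can list namespaces: fix immediately
    *)   echo "unexpected:$1" ;;
  esac
}

# Run the probe. -k is acceptable here because only the status code is
# inspected; a public 6443 endpoint usually presents a cluster-internal CA.
probe_apiserver() {
  local endpoint="$1"   # placeholder, e.g. 203.0.113.10:6443 (documentation address range)
  local code
  code=$(curl -k -s -o /dev/null --connect-timeout 5 --max-time 10 \
         -w '%{http_code}' "https://${endpoint}/api/v1/namespaces" || true)
  classify_apiserver_exposure "$code"
}

# Usage, from a host that is NOT on the SLB allowlist:
#   probe_apiserver 203.0.113.10:6443
# From such a host, any result other than "filtered" means the SLB access
# control is not restricting the source. From an allowlisted host, 401 or 403
# is the expected answer; 200 is never acceptable.
```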
Component management
ACK One registered clusters allow you to deploy cloud-native components, such as log collection, monitoring, and alerting, to your self-managed Kubernetes clusters. Before you use these components, you may need to authorize them to access specific cloud resources. To do so, grant a RAM user only the permissions that the component needs on the required cloud resources, obtain that RAM user's AccessKey pair, and store the pair in a Secret named alibaba-addon-secret so that the component can read it. For more information, see Grant permissions to a registered cluster.
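The following shell snippet, added here as an example and not taken from the ACK One documentation, renders the alibaba-addon-secret manifest from an AccessKey pair held in environment variables, so that the credentials never appear on a command line or in shell history. The Secret's data keys, access-key-id and access-key-secret, and its namespace, kube-system, are assumptions based on the convention used by ACK components; verify them against Grant permissions to a registered cluster before applying:

```bash
#!/usr/bin/env bash
# Added example, not from the ACK One documentation: build the
# alibaba-addon-secret manifest without putting credentials in argv.
set -euo pipefail

# Render the Secret manifest. Data values are base64-encoded as the Secret
# API requires; the key names are assumed, check them against the ACK docs.
render_addon_secret() {
  local ak_id="$1" ak_secret="$2"
  local id_b64 secret_b64
  id_b64=$(printf '%s' "$ak_id" | base64 | tr -d '\n')
  secret_b64=$(printf '%s' "$ak_secret" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: alibaba-addon-secret
  namespace: kube-system
type: Opaque
data:
  access-key-id: ${id_b64}
  access-key-secret: ${secret_b64}
EOF
}

# Refuse obviously bad input: empty values or whitespace, which usually mean
# a mis-exported variable and would produce a Secret that fails silently.
validate_ak_pair() {
  local ak_id="$1" ak_secret="$2"
  [ -n "$ak_id" ] && [ -n "$ak_secret" ] || return 1
  case "$ak_id$ak_secret" in *[[:space:]]*) return 1 ;; esac
  return 0
}

# Usage: export the pair from a RAM user whose policy is limited to the
# resources the component needs, then apply without echoing the values:
#   export ALIBABA_CLOUD_ACCESS_KEY_ID=...     # hypothetical variable names
#   export ALIBABA_CLOUD_ACCESS_KEY_SECRET=...
#   validate_ak_pair "$ALIBABA_CLOUD_ACCESS_KEY_ID" "$ALIBABA_CLOUD_ACCESS_KEY_SECRET" \
#     && render_addon_secret "$ALIBABA_CLOUD_ACCESS_KEY_ID" "$ALIBABA_CLOUD_ACCESS_KEY_SECRET" \
#     | kubectl apply -f -
```

Piping the manifest straight into kubectl, rather than writing it to disk, avoids leaving a plaintext copy of the AccessKey in the working directory.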
Node pools
The node pool feature of ACK One registered clusters allows you to scale out self-managed Kubernetes clusters with cloud Elastic Compute Service (ECS) instances. For the node pool feature to work, make sure that the following requirements are met:
The self-managed Kubernetes cluster is connected to the ACK One registered cluster over an internal network, not over the Internet.
The on-premises container network plug-in runs only on the on-premises nodes, and the Terway plug-in runs only on the ECS instances.
The script used to initialize nodes in the self-managed Kubernetes cluster is prepared.
Networks
Ensure stable network connectivity between Alibaba Cloud and your self-managed Kubernetes clusters or Kubernetes clusters from other cloud providers. If a self-managed cluster accesses Alibaba Cloud resources over the Internet, stability issues such as timeouts may occur.
ACK One registered clusters do not support creating or using Services of type LoadBalancer.
Others
The Kubernetes version, cluster initialization method, and node configuration of a self-managed Kubernetes cluster differ from those of a Container Service for Kubernetes (ACK) cluster. For example, the default node configuration file paths or ports that components such as Container Storage Interface (CSI) and MetricServer expect may not match what the self-managed cluster uses. As a result, these components may fail to run as expected in self-managed Kubernetes clusters. Therefore, the stability of these components is a shared responsibility between you and ACK.